-
In Burp's browser, log in to the application using the credentials
wiener:peter. -
In Burp, go to Proxy > HTTP history. Right-click the
POST /loginrequest and select Send to Repeater. -
In Repeater, test the username and password parameters to determine whether they allow you to inject MongoDB operators:
- Change the value of the
usernameparameter from"wiener"to{"$ne":""}, then send the request. Notice that this enables you to log in. - Change the value of the username parameter from
{"$ne":""}to{"$regex":"wien.*"}, then send the request. Notice that you can also log in when using the$regexoperator. - With the username parameter set to
{"$ne":""}, change the value of the password parameter from"peter"to{"$ne":""}, then send the request again. Notice that this causes the query to return an unexpected number of records. This indicates that more than one user has been selected.
- Change the value of the
-
With the password parameter set as
{"$ne":""}, change the value of the username parameter to{"$regex":"admin.*"},then send the request again. Notice that this successfully logs you in as the admin user. -
Right-click the response, then select Show response in browser. Copy the URL.
-
Paste the URL into Burp's browser to log in as the
administratoruser. The lab is solved.
Lab: Exploiting NoSQL operator injection to bypass authentication
The login functionality for this lab is powered by a MongoDB NoSQL database. It is vulnerable to NoSQL injection using MongoDB operators.
To solve the lab, log into the application as the administrator user.
You can log in to your own account using the following credentials: wiener:peter.
Register for free to track your learning progress
-
Practise exploiting vulnerabilities on realistic targets.
-
Record your progression from Apprentice to Expert.
-
See where you rank in our Hall of Fame.
Already got an account? Login here
